CN115146318A - Virtual disk safe storage method - Google Patents
- Publication number
- CN115146318A (CN202211068135.2A)
- Authority
- CN
- China
- Prior art keywords
- virtual disk
- file
- qcow2
- mirror image
- virtual
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G06F21/602—Providing cryptographic facilities or services
-
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0602—Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
- G06F3/062—Securing storage systems
-
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0638—Organizing or formatting or addressing of data
- G06F3/064—Management of blocks
-
- G06F3/0643—Management of files
-
- G06F3/0644—Management of space entities, e.g. partitions, extents, pools
-
- G06F3/0662—Virtualisation aspects
- G06F3/0664—Virtualisation aspects at device level, e.g. emulation of a storage device or system
Abstract
The invention relates to a virtual disk secure storage method comprising the following steps: creating a group of blocked virtual disk files with the qemu-img tool, wherein the blocking information of the virtual disk files is written into the file header of the image of the first virtual disk file; starting a virtual machine, specifying the first virtual disk file of the virtual disk image to the qemu-kvm program, reading the blocking information, and locating the images of the other virtual disk files; opening the qcow2 virtual disk in qemu and building block meta information from the blocking information; and sending each read-write request to the virtual disk file of the corresponding virtual disk image for processing, according to the block range the request falls in. The invention stores the data in different virtual disk files, so that the content of the complete image cannot be recovered when only part of the image is stolen, thereby ensuring the security of the data in the virtual disk image.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a virtual disk secure storage method.
Background
In the cloud computing era, the processing and storage of mass data is unavoidable, and storing mass data often requires a secure disk image storage method; once a problem occurs in a disk image, the data security of the cloud computing center is seriously affected. To improve the data security of the disk images of large numbers of virtual machines, data is often encrypted when stored and decrypted when used.
In principle, secure storage has two problems to solve:
1. How to ensure the completeness, reliability and confidentiality of file data.
2. How to ensure that only legitimate users can access the relevant files.
Solving these two problems requires data encryption and authentication/authorization management, which are the core technologies of secure storage. In secure storage, a file is turned into ciphertext (encrypted) by technical means and restored (decrypted) by the same or different means when it is used. The file is therefore stored as ciphertext and used as plaintext, which ensures security while remaining convenient to use. Encryption has two elements: algorithms and keys. Techniques for encrypting data fall into two categories, namely symmetric encryption (private key encryption) and asymmetric encryption (public key encryption). Symmetric encryption is typified by the Data Encryption Standard (DES) algorithm, and asymmetric encryption is typified by the RSA (Rivest Shamir Adleman) algorithm. In symmetric encryption the encryption key and the decryption key are the same, while in asymmetric encryption they are different: the encryption key can be public and the decryption key must be kept secret.
Generally, an asymmetric key is mainly used for identity authentication or to protect a symmetric key, and everyday data encryption generally uses a symmetric key.
Modern mature encryption and decryption algorithms have reliable strength and are difficult to break by force unless the correct key is held. When a secure storage product is actually deployed and stronger identity authentication is required, a U-key can be used; this authentication device is widely used in online banking.
With encryption and identity authentication, storage has a reliable guarantee.
The most common encryption method for virtual machine image storage is as follows: the processing is done in the read and write functions of the block device. Data is encrypted on write and decrypted on read, the key can be transmitted dynamically or stored in a key fob, and the specific encryption algorithm can be chosen according to the usage scenario.
Secure storage is still storage in nature, and can serve as a remote distributed storage center for files and data. Compared with ordinary storage, distributed storage is safer and more reliable, and is suited to fields that need confidentiality. If the data is placed in one location, all of it can be obtained by a single compromise; if the data is placed in different locations, the complete data can only be recovered by compromising several locations, that is, several remote storage centers, at the same time. The scheme is therefore that the disk image is composed of a plurality of blocks, the data is dispersed across the image files, and each image file can be stored in a different data center. Even if one of the data centers is compromised, the content of the disk image cannot be restored. This requires the virtual disk file to support block storage, with different storage blocks placed in different storage locations. This patent aims to allow a disk image file in qcow2 format to be stored in blocks in different files, and to read the previously stored data from each storage block at run time. The data of the virtual machine is thereby stored in different locations, achieving storage security.
Chinese invention patent 'a method for creating disk mirror image file encryption snapshot and using and a storage medium' (patent number: CN 109376119A). That patent discloses a method for creating an encrypted snapshot of a disk image file, a method for using the encrypted snapshot, and a storage medium, and belongs to the field of virtualization. The method for creating the encrypted snapshot of the disk image file comprises: parsing the key parameters to generate the cipher information used for encrypting and decrypting files; copying the cipher information to the source file's open options; opening the source file according to those options; and judging whether the source file was opened successfully and, if so, creating a snapshot and setting the snapshot's encryption information. When the snapshot is run, the source file can be decrypted with the snapshot key, which removes the limitation in the existing function that keys cannot be passed to the source file and the snapshot at the same time, and achieves the encryption function and the snapshot function together. The method implements encrypted snapshots of disk image files for Qemu Qcow2. It does not improve the security of the encryption; it mainly achieves the encryption and snapshot functions at the same time.
Chinese invention patent 'a method and a system for protecting private information of a trusted virtual machine vTPM based on tenant identity information' (patent number: CN 111683052A). That patent discloses a method and a system for protecting the private information of a trusted virtual machine's vTPM based on tenant identity information, the method comprising: establishing two non-migratable keys RSA_local and RSA_mig of the physical trusted platform module, and generating a corresponding digital certificate Certificate_mig for the RSA_mig key; generating and storing identity authentication information on a local host by the cloud tenant; when a trusted virtual machine is created, creating a vTPM tag for the vTPM instance of each virtual machine; acquiring the identity authentication information identity_info, the vTPM tags and tenant_info, and checking their integrity, timeliness, legality and consistency; and likewise checking the integrity, timeliness, legality and consistency of the corresponding fields in the running and migration stages of the trusted virtual machine and in its exit, destruction, suspension and snapshot stages. The patent provides whole-life-cycle protection of a vTPM, based on libtpms software emulation, added to an IaaS cloud platform built on KVM virtualization, and prevents leakage of private information. That patent uses a TPM module for availability verification, and does not protect the disk when the machine is shut down.
Chinese invention patent 'virtual machine data protection system and method' (patent number: CN 103902884A). That patent discloses a virtual machine data protection system and method, and relates to the technical field of cloud computing virtualization data security. Secure access to virtual machine data is achieved by verifying, marking and network-controlling requests to access virtual machine data in Domain0, combined with monitoring of data behavior and data flow inside the virtual machine. It addresses the problem that, in a multi-tenant virtual machine environment, a virtual machine is illegally accessed from outside the cloud or from other virtual machines because a service deployed in the virtual machine has a bug or configuration error, or because an application or the kernel of the virtual machine has a bug. That patent is primarily directed at data security at run time.
Chinese invention patent 'a method for safely storing and quickly calling data and a mobile terminal' (patent number: CN 109829324A). That patent discloses a method for safely storing and quickly calling data, and a mobile terminal, comprising: encrypting the data that the system needs to store under an open public path; storing the encrypted data under the open public path; decrypting the data under the open public path, storing the decrypted data in virtual memory, and forming a mapped path from the storage address; and modifying the system call interfaces whose access path defaults to the open public path so that their access path is the mapped path, so that the system calls the decrypted data from virtual memory. The patent solves the problem of safely storing data under the system's default path, improves the speed at which the data is called, avoids system stalls and unresponsiveness, and resolves the conflict between storage security and fast data access. That patent only addresses encryption of data stored under an open public path.
Chinese invention patent 'a mobile terminal data safe storage method based on a virtual disk' (patent number: CN 109325355A). That patent provides a mobile terminal data secure storage method based on a virtual disk, and belongs to the field of information security. It works by first creating an independent disk partition on the hard disk, creating a fixed-size file that emulates a disk partition, and then formatting the file content as a custom file system, so that the file emulates a disk, that is, a virtual disk. Finally, by combining real-time encryption and adding encryption and decryption to the disk read and write paths, the security of the data is ensured. The patent customizes an encrypted file system for the independent disk partition and builds an encryption and decryption pipeline between plaintext in memory and ciphertext on disk, which avoids leaving plaintext traces on the disk and provides transparent data protection. It offers higher security and flexibility, provides strong protection for data on the mobile terminal, allows the encrypted file system and the identity verification mechanism to be customized, and can provide multiple encryption algorithms and modes of operation. The encryption mode implemented by that patent is one that qemu already supports: encryption of the data segments of the disk.
Chinese invention patent 'a differential virtual disk linking method' (patent number: CN 108228108A). That patent discloses a method for linking differential virtual disks, comprising: 1) improving the file format of the differential virtual disk, so that the recorded path of the original virtual disk is changed from the current absolute or relative path on the physical machine to a URL path that can be accessed over a network; 2) improving the virtual disk driver: reading and writing a differential virtual disk depends on the virtual disk driver, and the driver accesses the original virtual disk file on a server over the IP network according to the network path recorded in the differential virtual disk; 3) a virtual disk access service, in which the host storing the original virtual disk files provides a network service for accessing the original virtual disk, listens for access requests from the differential virtual disk host, and performs read and write operations on the original virtual disk according to the requests. The method is characterized in that the differential virtual disk and the original virtual disk are deployed separately and accessed across hosts, and has the advantages of convenient rapid deployment and a balance between data security and access rate. That patent is implemented with the 'backing file' feature of the qcow2 format: a given image is used as a base disk (generally with the most basic OS files and data installed), other disks that need this base can designate the image as their backing file, and the differences written afterwards go into their respective virtual disks. If multi-level backing files are created, modifying earlier data causes data redundancy, and the disk space cost of the blocks is very high.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a virtual disk secure storage method comprising the following steps:
step S1: creating a group of blocked virtual disk files with the qemu-img tool, and writing the blocking information of the virtual disk files into the file header of the first virtual disk file;
step S2: starting a virtual machine, specifying the first virtual disk file of the virtual disk image to the qemu-kvm program, reading the blocking information, and locating the images of the other virtual disk files;
step S3: opening the qcow2 virtual disk image in qemu, and building block meta information from the blocking information;
step S4: sending each read-write request to the virtual disk file of the corresponding virtual disk image for processing, according to the block range the request falls in.
In step S1, the group of blocked virtual disk files is created with the following command line:
qemu-img create -f qcow2 -d <parameter 1> xxxx.qcow2 <parameter 2>
where parameter 1 is the size of each created virtual disk file and parameter 2 is the size of the whole virtual disk image.
In step S1, an image positioning layer is added to the source code of the qcow2_co_create_opt function, to determine an addressing range for each created virtual disk file;
in step S2, an image positioning layer is added to the source code of the qcow2_open function, to read the blocking information in the first virtual disk file and locate the images of the other virtual disk files;
in step S4, an image positioning layer is added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions, so that the virtual disk file of the corresponding virtual disk image is determined when a read-write request is processed.
In step S4, the image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions uses an offset parameter and a bytes parameter, where offset determines the offset position in the virtual disk image and bytes determines the size of the requested content.
In step S1, a field div_img_size is added to the file header of the image of the first virtual disk file to save the blocking information of the virtual disk file.
In step S1, the blocking information of the virtual disk file is stored in the following field of the file header of the first virtual disk file: uint64_t div_img_size
With the virtual disk secure storage method provided by the invention, the data is stored in different virtual disk files, and the content of the complete image cannot be recovered when only part of the image is stolen, which ensures the security of the data in the virtual disk image.
Drawings
FIG. 1: logic diagram of the basic technical concept of the present invention.
FIG. 2: flow chart of virtual disk image IO addressing in the prior art.
FIG. 3: flow chart of IO addressing based on the blocked qcow2 virtual disk image of the present invention.
Detailed Description
In order to further understand the technical scheme and the advantages of the present invention, the following detailed description of the technical scheme and the advantages thereof is provided in conjunction with the accompanying drawings.
FIG. 1 is a logic diagram of the basic concept of the present invention. At present, the qcow2 virtual disk image used in most cases is stored in a single file; if the backing file function is used, there may also be a gold image. If information leaks from the place where the virtual disk image file is stored, a thief can easily obtain all the data stored in the virtual machine. However, if the virtual disk image is composed of a plurality of files and each block image is placed in a different location, this is like "putting eggs in different baskets": a thief who takes only part of the image cannot recover the content of the complete image at all. The security of the data in the virtual disk image is therefore improved by storing the virtual disk image in blocks in different locations.
To achieve this, the following problems need to be solved:
1. How to divide the image into blocks
To avoid increasing addressing complexity, the blocking strategy specifies the addressable range of each block when the virtual disk image is created (qemu-img create); beyond that range, the next block image is created automatically. Each block is in qcow2 format, so it occupies little storage space at creation and grows slowly as data is written into the image, which keeps qcow2's best characteristic.
2. At which layer the virtual machine's read-write requests are intercepted to implement block storage of the image
Block storage of the image is implemented by modifying the source code of qcow2_co_create_opt / qcow2_open / qcow2_co_preadv / qcow2_co_pwritev in qcow2.c in the qemu source code, and adding to it an image positioning layer (which decides to which image a read or write request is dispatched).
3. Where the blocking information is stored
The block size is recorded in the div_img_size field in the qcow2 header of the first virtual disk file. This also identifies which file is the first image. The next time the virtual machine is started, the blocking information is read back.
To solve these technical problems, the invention starts from the principles of the qcow2 format, optimizes the code for qcow2 images in the qemu source code, and adds image positioning layer code by modifying the qcow2 family of interface functions, implementing block storage of the image without affecting the existing interface or usage habits.
FIG. 2 is a flow chart of virtual disk image IO addressing in the prior art. The general qcow2 addressing process is as follows: the qcow2 header is used to locate the Level1 table in the virtual disk image, the Level1 table is searched for the position of the Level2 table that corresponds to the address, and then the offset of the cluster that actually stores the data is looked up.
With the qcow2 block design of the present invention added, the flow is as shown in FIG. 3, and on this basis the virtual disk secure storage method of the present invention is formed:
1. Creating a blocked virtual disk image with the qemu-img tool
Assuming that an 80G virtual disk image needs to be divided into 8 virtual disk files, the following command line is used: qemu-img create -f qcow2 -d 10g xxxx.qcow2 80G. This automatically creates a group of blocked virtual disk files for the specified virtual disk image size. During creation, the image positioning layer added to the source code of the qcow2_co_create_opt function determines an addressing range for each created virtual disk file, and information such as the block size is written into the file header of the first virtual disk file. Specifically, a field (div_img_size) is added at the end of the QCowHeader to save the "block size" in the first virtual disk file.
[0-10G]: xxxx.qcow2
[10-20G]: xxxx.qcow2.div1
[20-30G]: xxxx.qcow2.div2
[30-40G]: xxxx.qcow2.div3
[40-50G]: xxxx.qcow2.div4
[50-60G]: xxxx.qcow2.div5
[60-70G]: xxxx.qcow2.div6
[70-80G]: xxxx.qcow2.div7
The blocked virtual disk image has now been created. Next, the virtual machine needs to know that the image is a blocked virtual disk image; that is, the blocking information must be read when the virtual machine is started.
2. Start a virtual machine, specify the first virtual disk file of the virtual disk image to the qemu-kvm program, read the block size, locate the block images of the other virtual disk files, and determine the range that each virtual disk file is responsible for storing. Specifically, an image positioning layer is added to the source code of the qcow2_open function; it reads the blocking information in the first virtual disk file and locates the images of the other virtual disk files.
3. Open the qcow2 virtual disk image in qemu and build block meta information from the blocking information. Specifically, after reading the blocking information of the first virtual disk file, the virtual machine knows the block images of all the virtual disk files. The blocking information of the virtual disk image is then described as meta information and loaded into memory to form a data model, so that the program can address through the meta information and does not need to read the blocking information from the file header of the first virtual disk file again for every read-write operation.
At this point the blocking of the virtual disk image is complete, and read-write operations on the virtual disk image can be performed.
When the virtual disk image is read and written, the file system layer manages it automatically and decides where a newly created file is written; the program addresses according to the information passed down by the file system layer and completes the read or write.
4. Read request operation
When the qcow2 driver of qemu processes a read request, the request is sent to the block virtual disk files of the corresponding virtual disk image according to the block range. An image positioning layer added to the source code of the qcow2_co_preadv function ensures that the virtual disk file of the corresponding virtual disk image is addressed when a read request is processed, with the following steps:
(1) The parameters of the qcow2_co_preadv function include offset (the offset position in the virtual disk) and bytes (the size of the requested content). The request is split according to the range each block virtual disk file of the virtual disk image is responsible for, which splits the IO request queue.
(2) For each split request, an execution context is constructed for the virtual disk file it is to be dispatched to.
(3) The split request queue is dispatched for execution according to the image of each virtual disk file.
5. Write request operation
When the qcow2 driver of qemu processes a write request, the request is sent to the block virtual disk files of the corresponding virtual disk image according to the block range. An image positioning layer added to the source code of the qcow2_co_pwritev function ensures that the virtual disk file of the corresponding virtual disk image is addressed when a write request is processed, with the following steps:
(1) The parameters of the qcow2_co_pwritev function include offset (the offset position in the virtual disk) and bytes (the size of the requested content). The request is split according to the range each block virtual disk file of the virtual disk image is responsible for, which splits the IO request queue.
(2) For each split request, an execution context is constructed for the virtual disk file it is to be dispatched to.
(3) The split request queue is dispatched for execution according to the image of each virtual disk file.
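The splitting in step (1) of both the read and the write operation, as an added example that is not code from the patent or from QEMU. SubRequest, split_request and block_file_name are hypothetical names, and it is an assumption that each block file addresses its own range starting from offset 0; the file naming follows the xxxx.qcow2 / xxxx.qcow2.divN list above.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* One piece of a guest request after cutting it at block-file boundaries.
 * All names here are hypothetical; they are not QEMU identifiers. */
typedef struct {
    uint64_t file_index;   /* 0 = xxxx.qcow2, n = xxxx.qcow2.div<n> */
    uint64_t file_offset;  /* assumed: offset relative to that file's range */
    uint64_t bytes;        /* length of this piece */
} SubRequest;

/*
 * Split the guest range [offset, offset + bytes) at multiples of
 * div_img_size (the block size kept in the first file's header).
 * Returns the number of pieces written to out, 0 for an empty request,
 * or -1 if the request is invalid or needs more than max_out pieces.
 */
int split_request(uint64_t offset, uint64_t bytes,
                  uint64_t div_img_size, uint64_t virtual_size,
                  SubRequest *out, int max_out)
{
    if (div_img_size == 0)
        return -1;                       /* header field missing or corrupt */
    /* Overflow-safe check that the request stays inside the virtual disk. */
    if (offset > virtual_size || bytes > virtual_size - offset)
        return -1;

    int n = 0;
    while (bytes > 0) {
        if (n == max_out)
            return -1;
        uint64_t in_file = offset % div_img_size;   /* position in this file */
        uint64_t room = div_img_size - in_file;     /* bytes left in its range */
        uint64_t len = bytes < room ? bytes : room;

        out[n].file_index = offset / div_img_size;
        out[n].file_offset = in_file;
        out[n].bytes = len;

        offset += len;
        bytes -= len;
        n++;
    }
    return n;
}

/* Build the file name for a block index; returns 0 on success, -1 if the
 * buffer is too small. */
int block_file_name(const char *base, uint64_t index, char *buf, size_t len)
{
    int w = (index == 0)
        ? snprintf(buf, len, "%s", base)
        : snprintf(buf, len, "%s.div%" PRIu64, base, index);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

int main(void)
{
    const uint64_t G = 1024ULL * 1024 * 1024;
    SubRequest parts[8];
    char name[64];

    /* Constructed request: 12 KiB starting 4 KiB before the 10G boundary
     * of an 80G image made of 10G block files. */
    int n = split_request(10 * G - 4096, 12288, 10 * G, 80 * G, parts, 8);
    for (int i = 0; i < n; i++) {
        if (block_file_name("xxxx.qcow2", parts[i].file_index,
                            name, sizeof name) != 0)
            return 1;
        printf("%s: offset %" PRIu64 ", %" PRIu64 " bytes\n",
               name, parts[i].file_offset, parts[i].bytes);
    }
    return n == 2 ? 0 : 1;
}
```

A request that crosses a boundary is the case the positioning layer must get right: each piece goes to a different file, and a missing or unreachable block file has to fail the whole request rather than return partial data.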
In the invention, a virtual disk file is a storage mode in which a file simulates a hard disk device for use by a virtual machine. Seen from the Host, the disk of the virtual machine is a file; seen from the Guest, it is no different from an ordinary hard disk.
In the invention, the so-called "QCOW2 format" stands for Qemu copy-on-write format, a virtual disk image format of the Qemu virtual machine that grows dynamically when a "write" operation occurs. Compared with the native image format (RAW), its biggest characteristic is that space is allocated only when data really needs to be stored, which saves disk space on the Host. The qcow2 image format is organized as a number of fixed-size units called clusters. Both the actual user data (guest data) and the image metadata (metadata) are stored in cluster units.
Compared with the prior art, the invention has the advantages that:
1. The invention scatters what was previously a single disk image file across different image files, avoiding the problem that when one disk image is stolen, all data in the whole virtual disk can be cracked.
2. The disk blocking strategy can also accommodate further security designs: the security encryption strategy can be customized according to the usage scenario instead of using a blocking strategy with a fixed range.
3. The invention can be implemented without changing the interface or usage habits of the original virtual machine, and has good compatibility with upper layers such as libvirt.
Although the present invention has been described with reference to the preferred embodiments, it should be understood that various changes and modifications can be made therein by those skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (6)
1. A virtual disk secure storage method is characterized by comprising the following steps:
step S1: using the qemu-img tool to create a group of blocked virtual disk files, and writing the block information of the virtual disk files into the file header of the first virtual disk file;
step S2: starting a virtual machine, specifying the first virtual disk file of the virtual disk image through the qemu-kvm program, reading the block information, and finding the images of the other virtual disk files;
step S3: opening the qcow2 virtual disk image in qemu, and establishing block meta information from the block information;
step S4: sending each read-write request, according to the block range it falls in, to the virtual disk file of the corresponding virtual disk image for processing.
2. The virtual disk secure storage method according to claim 1, wherein in step S1, a group of blocked virtual disk files is created through the following command line:
qemu-img create -f qcow2 -d <parameter 1> xxxx.qcow2 <parameter 2>;
wherein parameter 1 is the size of each created virtual disk file, and parameter 2 is the size of the whole virtual disk image.
3. The virtual disk secure storage method according to claim 1, wherein in step S1, an addressing range is determined for each created virtual disk file by adding an image positioning layer to the source code of the qcow2_co_create_opt function;
in step S2, an image positioning layer is added to the source code of the qcow2_open function, so as to read the block information in the first virtual disk file and find the images of the other virtual disk files;
in step S4, an image positioning layer is added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions, so that the virtual disk file of the corresponding virtual disk image is determined when a read-write request is processed.
4. The virtual disk secure storage method according to claim 3, wherein in step S4, the image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions includes an offset parameter and a bytes parameter, wherein the offset parameter is used for determining the offset position in the virtual disk image, and the bytes parameter is used for determining the size of the requested content.
5. The virtual disk secure storage method according to claim 1, wherein in step S1, the block information of the virtual disk file is saved by adding a field div_img_size to the file header of the image of the first virtual disk file.
6. The virtual disk secure storage method according to claim 5, wherein in step S1, the block information of the virtual disk file is stored in the following field of the file header of the first virtual disk file: uint64_t div_img_size //.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211068135.2A CN115146318B (en) | 2022-09-02 | 2022-09-02 | Virtual disk safe storage method |
PCT/CN2022/137630 WO2024045407A1 (en) | 2022-09-02 | 2022-12-08 | Virtual disk-based secure storage method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115146318A (en) | 2022-10-04 |
CN115146318B (en) | 2022-11-29 |
Family
ID=83415825
Family Applications (1)
Application Number | Status | Publication | Priority Date | Filing Date | Title |
---|---|---|---|---|---|
CN202211068135.2A | Active | CN115146318B (en) | 2022-09-02 | 2022-09-02 | Virtual disk safe storage method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN115146318B (en) |
WO (1) | WO2024045407A1 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103516755B (en) * | 2012-06-27 | 2017-07-14 | 华为技术有限公司 | Virtual memory method and equipment |
CN109933278A (en) * | 2017-12-19 | 2019-06-25 | 中国电信股份有限公司 | For realizing the method and apparatus of block device carry access |
CN115146318B (en) * | 2022-09-02 | 2022-11-29 | 麒麟软件有限公司 | Virtual disk safe storage method |
-
2022
- 2022-09-02 CN CN202211068135.2A patent/CN115146318B/en active Active
- 2022-12-08 WO PCT/CN2022/137630 patent/WO2024045407A1/en unknown
Also Published As
Publication number | Publication date |
---|---|
WO2024045407A1 (en) | 2024-03-07 |
CN115146318B (en) | 2022-11-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||